A user owning a personal mobile device (e.g., smartphone, tablet, etc.) may desire to install certain “workplace” mobile applications (e.g., email, calendar, etc.) relating to his work as an employee of a business on his mobile device rather than carry an additional mobile device for work purposes. In situations where an employer permits the user to utilize his personal mobile device to install and run such workspace applications, the employer typically imposes certain security measures or policies on the user's personal device to ensure that enterprise data that is accessed or stored on the personal mobile device is secure.
In order to impose such security measures on personal mobile devices, the employer may utilize a mobile device management (MDM) solution that utilizes an MDM server running on the employer's premises to remotely communicate with a user's mobile device to configure and impose security restrictions. For example, certain mobile operating systems (OSs), such as Apple's iOS on its iPhone and iPad mobile devices, include certain application programming interfaces (APIs) and process flows that enable an MDM server to wirelessly communicate with a mobile device in order to transmit a “configuration profile” to the mobile OS, which, in turn, understands the format of the configuration profile and is thus able to load certain settings and authorization information consistent with the configuration profile. In the case of iOS, a configuration profile may take the form of an XML file that contains a list of settings or properties (sometimes referred to as a .plist file) relating to the employer's security policies, such as restrictions on device features (e.g., camera use, etc.), Wi-Fi settings, VPN settings, email and calendar accounts, authentication credentials and the like. Once an initial configuration profile is established between a mobile device and the MDM server, the MDM server may be able to remotely execute security-related operations on the mobile device such as device lock, device wipe (to erase data on the device), etc. as well as update the configuration profile with new or different security properties.
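The configuration profile format described above can be inspected offline before a profile is distributed. The following Python example is added here and is not part of the original text: it parses an unsigned XML profile and reports which required security settings are absent. The sample profile, the `REQUIRED` policy and the `audit_profile` helper are constructed for illustration; the payload types and keys shown are Apple's documented names.

```python
import plistlib

# Constructed sample profile (not from the page): a restrictions payload and a Wi-Fi payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.workspace</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowCamera</key><false/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>SSID_STR</key><string>ExampleCorp</string>
      <key>EncryptionType</key><string>WPA</string>
    </dict>
  </array>
</dict></plist>"""

# Hypothetical employer policy: payload type -> settings that must carry these values.
REQUIRED = {
    "com.apple.applicationaccess": {"allowCamera": False},
    "com.apple.wifi.managed": {"EncryptionType": "WPA"},
    "com.apple.vpn.managed": {},  # a VPN payload must be present; no specific key checked
}

def audit_profile(raw, required=REQUIRED):
    """Return a sorted list of policy gaps found in an unsigned XML profile."""
    profile = plistlib.loads(raw)
    payloads = {}
    for p in profile.get("PayloadContent", []):
        payloads.setdefault(p.get("PayloadType"), []).append(p)
    gaps = []
    for ptype, settings in required.items():
        if ptype not in payloads:
            gaps.append(f"missing payload: {ptype}")
            continue
        for key, want in settings.items():
            if not any(p.get(key) == want for p in payloads[ptype]):
                gaps.append(f"{ptype}: {key} is not {want!r}")
    return sorted(gaps)

if __name__ == "__main__":
    for gap in audit_profile(SAMPLE_PROFILE):
        print(gap)
```

A signed profile is wrapped in a CMS envelope and would need to be unwrapped before it can be parsed this way.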
However, current MDM solutions exert a high level of control on mobile devices, typically, as mentioned above, enabling an employer to remotely lock the user's entire device or erase the entirety of the user's device. As such, employees are increasingly reluctant to relinquish such control of their personal mobile devices to their employer's MDM systems. Alternative, less “heavy-handed” approaches that exert control only on the data and applications in a user's personal mobile device that are relevant to the user's employment (e.g., “workspace” data and applications) do exist. For example, the approaches described in U.S. patent application Ser. No. 13/595,881 filed on Aug. 27, 2012 and entitled “Method and System for Facilitating Isolated Workspace for Applications” (which is hereby incorporated by reference and referred to herein as the “'881 Application”) utilize a management application locally resident on the mobile device to assist in imposing security policies only around workspace data and applications. Such alternative approaches, however, cannot currently leverage the configuration profile capabilities (i.e., to provide certain security features to a “workspace” environment on the mobile device) supported by mobile OSs such as iOS, since such capabilities are only accessible by conventional MDM servers. In particular, current mobile OSs such as iOS do not provide a mechanism for a local application (such as the local management application described in the '881 Application) to test for or “validate” the presence of a configuration profile that may be downloaded and installed on the mobile OS. Since the local application cannot validate the existence of a configuration profile on the mobile OS, it cannot ensure that certain security settings on a mobile device have been put in place by the loading of a configuration profile by the mobile OS prior to providing access to the workspace environment.